Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods

US 10,848,523 B2
Filed: 06/15/2020
Issued: 11/24/2020
Est. Priority Date: 06/10/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented data processing method for analyzing data transfers, the method comprising:

accessing, by one or more computer processors, a data transfer log entry representing a data transfer between a particular data asset and a second system, the data transfer log entry comprising a network address for the particular data asset and a network address for the second system;

determining, by one or more computer processors, an identity of the particular data asset based at least in part on the network address for the particular data asset;

determining, by one or more computer processors, a geographical location of the second system based at least in part on the network address for the second system;

accessing, by one or more computer processors based at least in part on the identity of the particular data asset, a data map associated with the particular data asset;

determining, by one or more computer processors based at least in part on the data map, a plurality of authorized geographical locations associated with the particular data asset;

comparing, by one or more computer processors, the geographical location of the second system to the plurality of authorized geographical locations associated with the particular data asset;

determining, by one or more computer processors based at least in part on the comparison of the geographical location of the second system to the plurality of authorized geographical locations associated with the particular data asset, that the geographical location of the second system is an unauthorized geographical location by determining that the geographical location of the second system is not among the plurality of authorized geographical locations associated with the particular data asset;

at least partially in response to determining that the geographical location of the second system is an unauthorized geographical location, generating, by one or more computer processors, a notification comprising an indication that the geographical location of the second system is an unauthorized geographical location, wherein;

the data transfer between the particular data asset and the second system has not yet been completed; and

the method further comprises, at least partially in response to determining that the geographical location of the second system is an unauthorized geographical location, taking one or more actions to stop the data transfer between the particular data asset and the second system before the data transfer has been completed.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In particular embodiments, a Cross-Border Visualization Generation System is configured to: (1) identify one or more data assets associated with a particular entity; (2) analyze the one or more data assets to identify one or more data elements stored in the identified one or more data assets; (3) define a plurality of physical locations and identify, for each of the identified one or more data assets, a respective particular physical location of the plurality of physical locations; (4) analyze the identified one or more data elements to determine one or more data transfers between the one or more data systems in different particular physical locations; (5) determine one or more regulations that relate to the one or more data transfers; and (6) generate a visual representation of the one or more data transfers based at least in part on the one or more regulations.

934 Citations

19 Claims

1. A computer-implemented data processing method for analyzing data transfers, the method comprising:
- accessing, by one or more computer processors, a data transfer log entry representing a data transfer between a particular data asset and a second system, the data transfer log entry comprising a network address for the particular data asset and a network address for the second system;
  
  determining, by one or more computer processors, an identity of the particular data asset based at least in part on the network address for the particular data asset;
  
  determining, by one or more computer processors, a geographical location of the second system based at least in part on the network address for the second system;
  
  accessing, by one or more computer processors based at least in part on the identity of the particular data asset, a data map associated with the particular data asset;
  
  determining, by one or more computer processors based at least in part on the data map, a plurality of authorized geographical locations associated with the particular data asset;
  
  comparing, by one or more computer processors, the geographical location of the second system to the plurality of authorized geographical locations associated with the particular data asset;
  
  determining, by one or more computer processors based at least in part on the comparison of the geographical location of the second system to the plurality of authorized geographical locations associated with the particular data asset, that the geographical location of the second system is an unauthorized geographical location by determining that the geographical location of the second system is not among the plurality of authorized geographical locations associated with the particular data asset;
  
  at least partially in response to determining that the geographical location of the second system is an unauthorized geographical location, generating, by one or more computer processors, a notification comprising an indication that the geographical location of the second system is an unauthorized geographical location, wherein;
  
  the data transfer between the particular data asset and the second system has not yet been completed; and
  
  the method further comprises, at least partially in response to determining that the geographical location of the second system is an unauthorized geographical location, taking one or more actions to stop the data transfer between the particular data asset and the second system before the data transfer has been completed.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The computer-implemented data processing method of claim 1, wherein determining the identity of the particular data asset based at least in part on the network address for the particular data asset comprises performing a reverse network address look-up to obtain identifying information associated with the particular data asset.
  - 3. The computer-implemented data processing method of claim 2, further comprising identifying the data map associated with the particular data asset based at least in part on the identifying information associated with the particular data asset.
  - 4. The computer-implemented data processing method of claim 1, wherein determining the geographical location of the second system based at least in part on the network address for the second system comprises:
    - performing a reverse network address look-up to obtain location identifying information associated with the second system; and
      
      determining the geographical location of the second system based at least in part on the location identifying information.
  - 5. The computer-implemented data processing method of claim 1, further comprising, at least partially in response to determining that the geographical location of the second system is an unauthorized geographical location, taking one or more actions to prevent future transfers of data between the particular data asset and the second system.
  - 6. The computer-implemented data processing method of claim 1, wherein the network address for the particular data asset is an IP address and the network address for the second system is an IP address.

7. A non-transitory computer-readable medium storing computer-executable instructions for:
- receiving, at one or more computer processors, a data transfer log entry representing a data transfer between a first system and a second system, the data transfer log entry comprising a network address for the first system and a network address for the second system;
  
  determining, by one or more computer processors based at least in part on the network address for the first system, that the first system is a data asset associated with a particular entity;
  
  determining, by one or more computer processors based at least in part on the network address for the first system, a data asset identifier for the first system;
  
  determining, by one or more computer processors based at least in part on the network address for the second system, that the second system is not associated with the particular entity;
  
  determining, by one or more computer processors based at least in part on the data asset identifier for the first system, a data map associated with the first system;
  
  accessing, by one or more computer processors, the data map associated with the first system;
  
  analyzing, by one or more computer processors, the data map to determine whether the second system is authorized to perform data transfers with the first system;
  
  determining, by one or more computer processors based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the first system;
  
  at least partially in response to determining that that the second system is not authorized to perform data transfers with the first system, taking, by one or more computer processors, one or more actions, wherein;
  
  the data transfer between the first system and the second system has not yet been completed; and
  
  the one or more actions comprise one or more actions to stop the data transfer between the first system and the second system before the data transfer has been completed.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The non-transitory computer-readable medium of claim 7, wherein the non-transitory computer-readable medium further stores computer-executable instructions for determining a geographical location for the second system based at least in part on the network address for the second system.
  - 9. The non-transitory computer-readable medium of claim 8, wherein analyzing the data map to determine whether the second system is authorized to perform data transfers with the first system comprises determining whether the geographical location for the second system is included in the data map.
  - 10. The non-transitory computer-readable medium of claim 9, wherein determining, based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the first system comprises determining that the geographical location for the second system is included in a plurality of unauthorized geographical locations included in the data map.
  - 11. The non-transitory computer-readable medium of claim 9, wherein determining, based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the first system comprises determining that the geographical location for the second system is not included in a plurality of authorized geographical locations included in the data map.
  - 12. The non-transitory computer-readable medium of claim 7, wherein determining, based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the first system comprises determining that the second system is not included in a plurality of authorized systems included in the data map.

13. A data transfer analysis data processing system comprising:
- one or more computer processors;
  
  computer memory; and
  
  a non-transitory computer-readable medium storing computer-executable instructions that, when executed by the one or more computer processors, cause the one or more computer processors to perform operations comprising;
  
  detecting, at the one or more computer processors, an initiation of a data transfer between a data asset and a second system by detecting a generation of a data transfer log entry indicating the data transfer between the data asset and the second system, the data transfer log entry comprising an identifier of the data asset and a network address for the second system;
  
  determining, by the one or more computer processors based at least in part on the network address for the second system, a geographical location for the second system;
  
  determining, by the one or more computer processors based at least in part on the identifier of the data asset, a data map associated with the data asset;
  
  analyzing, by the one or more computer processors, the data map to determine whether the geographical location for the second system is among a plurality of geographical locations indicated in the data map associated with the data asset;
  
  determining, by the one or more computer processors based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the data asset;
  
  at least partially in response to determining that that the second system is not authorized to perform data transfers with the data asset, terminating, by the one or more computer processors, the data transfer between the data asset and the second system; and
  
  at least partially in response to determining that that the second system is not authorized to perform data transfers with the data asset, generating, by the one or more computer processors, a notification that the data transfer between the data asset and the second system has been terminated.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The data transfer analysis data processing system of claim 13, wherein the identifier of the data asset comprises an IP address of the data asset.
  - 15. The data transfer analysis data processing system of claim 13, wherein determining the geographical location for the second system comprises performing a reverse network address look-up using the network address for the second system.
  - 16. The data transfer analysis data processing system of claim 15, wherein determining, based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the data asset comprises determining that the geographical location for the second system is not among a listing of a plurality of authorized geographical locations included in the data map.
  - 17. The data transfer analysis data processing system of claim 15, wherein determining, based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the data asset comprises determining that the geographical location for the second system is among a listing of a plurality of unauthorized geographical locations included in the data map.
  - 18. The data transfer analysis data processing system of claim 13, wherein the data asset is one of a transfer asset or a storage asset.

19. A data processing system for identifying potential transfers of data, the system comprising:
- data transfer log entry reception means for receiving a data transfer log entry representing a data transfer between a first system and a second system, the data transfer log entry comprising a network address for the first system and a network address for the second system;
  
  data asset determination means for determining, based at least in part on the network address for the first system, that the first system is a data asset associated with a particular entity;
  
  data asset identification determination means for determining, based at least in part on the network address for the first system, a data asset identifier for the first system;
  
  the data asset determination means for determining, based at least in part on the network address for the second system, that the second system is not associated with the particular entity;
  
  data map acquisition means for determining, based at least in part on the data asset identifier for the first system, a data map associated with the first system;
  
  data map access means for accessing the data map associated with the first system;
  
  data map analysis means for analyzing the data map to determine whether the second system is authorized to perform data transfers with the first system;
  
  data transfer authorization means for determining, based at least in part on the analysis of the data map, that the second system is not authorized to perform data transfers with the first system; and
  
  unauthorized data transfer response means for, at least partially in response to determining that that the second system is not authorized to perform data transfers with the first system, taking one or more actions, wherein;
  
  the data transfer between the first system and the second system has not yet been completed; and
  
  the one or more actions comprise one or more actions to stop the data transfer between the first system and the second system before the data transfer has been completed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
OneTrust LLC
Original Assignee
OneTrust LLC
Inventors
Brannon, Jonathan Blake, Kveen, Bryan Patrick, Patton-Kuhl, Dylan D.
Primary Examiner(s)
Khatri, Anil

Application Number

US16/901,979
Publication Number

US 20200314147A1
Time in Patent Office

162 Days
Field of Search

717100-110, 717116-120
US Class Current
CPC Class Codes

G06F 15/76   Architectures of general pu...

G06F 16/9038   Presentation of query results

G06F 16/904   Browsing; Visualisation the...

G06F 16/95   Retrieval from the web

G06F 21/552   involving long-term monitor...

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6245   Protecting personal data, e...

G06N 20/00   Machine learning

H04L 41/12   Discovery or management of ...

H04L 63/102   Entity profiles

H04L 63/107   wherein the security polici...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/20   for managing network securi...

Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

934 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Data processing systems for data-transfer risk identification, cross-border visualization generation, and related methods

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

934 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links